U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT HAWAII MEDICAL SERVICE ASSOCIATION

Report No. 1D-97-00-12-012
Date: October 17, 2012

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACTS 1058 & 1039
HAWAII MEDICAL SERVICE ASSOCIATION
PLAN CODES 871 / 872 / 104 / 105 / 111 / 112
HONOLULU, HAWAII

Report No. 1D-97-00-12-012
Date: 10/17/12

________________________
Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACTS 1058 & 1039
HAWAII MEDICAL SERVICE ASSOCIATION
PLAN CODES 871 / 872 / 104 / 105 / 111 / 112
HONOLULU, HAWAII

Report No. 1D-97-00-12-012
Date: 10/17/12

This final report discusses the results of our audit of general and application controls over the information systems at Hawaii Medical Service Association (HMSA). HMSA has two separate plans that serve federal employees: an experience-rated Health Maintenance Organization plan referred to as FED87 and a nationwide fee-for-service plan sponsored by the BlueCross and BlueShield Federal Employee Program (FEP).

Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for HMSA, as well as the various processes and information technology (IT) systems used to support these applications. We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
HMSA has established a series of IT policies and procedures to create an awareness of IT security at the Plan. We also verified that HMSA has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees.

Access Controls
HMSA has implemented numerous controls to add and remove physical access to its data center, as well as logical controls to encrypt sensitive information. However, we did note several opportunities for improvement related to HMSA’s physical and logical access controls, such as authentication controls over physical access to the data centers and the process for removing logical access for terminated employees. HMSA has since remediated these weaknesses.

Configuration Management
HMSA has developed formal policies and procedures providing guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes. However, we noted several weaknesses in HMSA’s configuration management program related to application patching. HMSA has since remediated the identified weaknesses.

Contingency Planning
We reviewed HMSA’s business continuity plans and concluded that they contained most of the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed and updated on a periodic basis. However, HMSA’s generator supporting the main facility does not have the capacity to support the data center in the event of a disaster.

Claims Adjudication
HMSA has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we recommended that HMSA implement several system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that HMSA is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Contents

Executive Summary ... i
I. Introduction ... 1
   Background ... 1
   Objectives ... 1
   Scope ... 2
   Methodology ... 2
   Compliance with Laws and Regulations ... 3
II. Audit Findings and Recommendations ... 4
   A. Security Management ... 4
   B. Access Controls ... 4
   C. Configuration Management ... 7
   D. Contingency Planning ... 9
   E. Claims Adjudication ... 10
   F. Health Insurance Portability and Accountability Act ... 17
III. Major Contributors to This Report ... 19

Appendix: Hawaii Medical Service Association’s June 29, 2012 response to the draft audit report issued May 2, 2012.

I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims at Hawaii Medical Service Association (HMSA).

The audit was conducted pursuant to FEHBP contracts CS 1039 and CS 1058; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

This was our first audit of HMSA’s general and application controls. We also reviewed HMSA’s compliance with the Health Insurance Portability and Accountability Act (HIPAA).

The business processes related to the scope of this audit are primarily located at HMSA’s Honolulu, Hawaii facility. HMSA has two data centers supporting FEHBP processes on the island of Oahu. Employees responsible for processing FEHBP claims are predominantly located in Honolulu, Hawaii.

All HMSA personnel that worked with the auditors were particularly helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in HMSA’s information technology (IT) environment.

These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Segregation of duties;
• Configuration management;
• Contingency planning;
• Application controls specific to HMSA’s claims processing systems; and
• HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of HMSA’s internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of HMSA’s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

HMSA has two separate plans that serve federal employees: an experience-rated Health Maintenance Organization plan referred to as FED87 and a nationwide fee-for-service plan sponsored by the BlueCross and BlueShield Federal Employee Program (FEP).

The scope of this audit centered on the information systems used by HMSA to process medical insurance claims for FEHBP members, with a primary focus on the QCSI New Extensible Technology (QNXT) and FEP Express claims adjudication applications. The QNXT system processes claims for both the FED87 and FEP Plans, and FEP Express performs additional adjudication on FEP claims. The business processes reviewed are primarily located in HMSA’s Honolulu, Hawaii facility.

The on-site portion of this audit was performed in January and February of 2012. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at HMSA as of March 20, 2012.

In conducting our audit, we relied to varying degrees on computer-generated data provided by HMSA. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this review we:
• Gathered documentation and conducted interviews;
• Reviewed HMSA’s business structure and environment;
• Performed a risk assessment of HMSA’s information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating HMSA’s control structure. These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information and Related Technology;
• GAO’s Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether HMSA’s practices were consistent with applicable standards. While generally compliant with respect to the items tested, HMSA was not in complete compliance with all standards, as described in the “Audit Findings and Recommendations” section of this report.

II. Audit Findings and Recommendations

A. Security Management

The security management component of this audit involved the examination of the policies and procedures that are the foundation of HMSA’s overall IT security controls. We evaluated HMSA’s ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

HMSA has implemented a series of formal policies and procedures that comprise its security management program. HMSA’s Information Protection Unit is responsible for creating, reviewing, editing, and disseminating IT security policies. HMSA has also developed a thorough risk management methodology, and has procedures to document, track, and mitigate or accept identified risks. We also reviewed HMSA’s human resources policies and procedures related to hiring, training, transferring, and terminating employees.

Nothing came to our attention to indicate that HMSA does not have an adequate security management program.

B. Access Controls

Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources.

We examined the physical access controls at HMSA’s Honolulu headquarters building and its data centers in Honolulu and Kapolei, Hawaii. We also examined the logical controls protecting sensitive data on HMSA’s network environment and claims processing applications. Furthermore, we conducted an automated network topology scan to verify that all known assets were included within HMSA’s system inventory list.

The access controls observed during this audit include, but are not limited to:
• procedures for appropriately granting physical access to facilities and data centers;
• procedures for revoking access to data centers for terminated employees;
• procedures for removing Windows/network access for terminated employees; and
• controls to monitor and filter email and Internet activity.

However, the following sections document several opportunities for improvement related to HMSA’s physical and logical access controls.

1. Access to Data Center

HMSA’s primary and back-up data centers use electronic card readers and stand-alone cipher locks to control physical access. However, we expect all FEHBP contractors to also have multi-factor authentication (e.g., cipher lock or biometric device in addition to an access card) at data center entrances. In addition to implementing these minimum controls, HMSA should analyze the benefit of implementing the common physical access controls listed below that we typically see at other FEHBP carrier facilities.

• video monitoring capabilities (limited video monitoring is in place, but there are several blind spots within the computer room);
• piggybacking alarms to enter the computer room (alarm that sounds if more than one person walks past a sensor for each access card that is swiped);
• “man-trap” entrances (small space with two locking doors where the first door must close before the second opens); and
• automated data center access logs (device that monitors and records access attempts).

Failure to implement adequate physical access controls increases the risk that unauthorized individuals can gain access to HMSA data centers and the sensitive IT resources and confidential data they contain. NIST SP 800-53 Revision 3, “Recommended Security Controls for Federal Information Systems and Organizations,” provides guidance for adequately controlling physical access to information systems containing sensitive data.

Recommendation 1
We recommend that HMSA reassess its data centers’ physical access management and implement controls that will ensure proper physical security. At a minimum, HMSA should implement multi-factor authentication (e.g., cipher lock or biometric device in addition to an access card) at data center entrances.

HMSA Response:
“HMSA agrees with the recommendation. Effective June 22, 2012, HMSA installed a cypher lock to be used with the existing electronic badge reader, at the Keeaumoku (main) data center. Individuals must now enter their unique code into the cypher lock and have the electronic badge reader authenticate their unique badge before entering the data center. Also effective June 22, 2012, HMSA installed an electronic badge reader to be used with the existing cypher lock at the Kapolei (second) data center. Individuals must now have the electronic badge reader authenticate their unique badge and enter their unique code into the cypher lock before entering the data center.”

OIG Reply:
The evidence provided by HMSA in response to the draft audit report indicates that the Plan has implemented multi-factor authentication at data center entrances; no further action is required.

2. Auditing/Monitoring of the HHIN Web Application

HMSA’s Hawaii Healthcare Information Network (HHIN) web application allows medical providers to access and review HMSA member information. HMSA’s access controls over its HHIN application include:
• requiring providers to sign an Electronic Trading Partner Agreement, which establishes confidentiality and security requirements;
• requiring providers to sign the HMSA Access Request and Contract to Preserve Confidential Information; and
• providing application training upon request.

Although the process for granting access to the HHIN application has adequate controls in place, there is no auditing or monitoring process in place to ensure that user access to the application remains appropriate. HMSA is in the process of implementing an auditing and monitoring process for HHIN, but it has not been fully implemented at this time.

Failure to routinely audit or monitor the application increases the risk that an unauthorized user can gain access to confidential and personal member information. NIST SP 800-53 states that an organization should disable or remove accounts that no longer require access to the information system.

Recommendation 2
We recommend HMSA implement an audit/monitoring process for the HHIN application.

HMSA Response:
“HMSA agrees with the recommendation. HMSA implemented a formal audit/monitoring process for the HHIN application to ensure that user access to the application remains appropriate. This process has been documented and was implemented as of June 20, 2012. In addition, an initial review and deletion of terminated provider IDs was completed as of June 15, 2012.”

OIG Reply:
The evidence provided by HMSA in response to the draft audit report indicates that the Plan has implemented an auditing process for the HHIN application; no further action is required.

3. Logical Access Management

We conducted a series of logical access control tests for five separate HMSA applications. For one test we compared a list of terminated employees to active user lists for each application, and discovered that several systems still had active user accounts for terminated employees. HMSA indicated that human error was the reason for the failure to remove access of those terminated employees.

Although HMSA corrected all identified errors, our findings indicate that HMSA’s process to routinely audit application user accounts is not effective. HMSA is currently evaluating the access removal process to identify ways to reduce the potential for human error.

FISCAM states that “Inactive accounts and accounts for terminated individuals should be disabled or removed in a timely manner.” Failure to promptly remove system and application access after termination increases the risk that a terminated employee could access and corrupt sensitive and proprietary information.

Recommendation 3
We recommend HMSA improve the existing audit process by routinely comparing the termination list to the active user lists for claims processing systems and applications.

HMSA Response:
“HMSA agrees with the recommendation. Effective February 1, 2012, the existing audit process was remediated. The process now requires the Information Privacy & Protection department and Human Resources to enter upcoming terminations into a collaboration site on the intranet (SharePoint site) to track terminations. The site will send automated alerts to the Access Management unit and will escalate to management if action has not been taken on a timely basis.”

OIG Reply:
The evidence provided by HMSA in response to the draft audit report indicates that the Plan has improved the existing terminated user audit process. While the new process does not involve comparing the termination list to the active user list, the evidence indicates that the new process is an effective control; no further action is required.

C. Configuration Management

HMSA uses a third party application called QCSI New Extensible Technology (QNXT) to adjudicate claims. This system is housed on a Microsoft Windows server with Microsoft SQL Server databases. We evaluated HMSA’s management of the configuration of its server environment and determined that the following controls were in place:
• policies for ensuring that operating platforms are securely configured;
• controls for securely managing changes to the operating platform and claims processing application;
• controls for monitoring privileged user activity on the operating platform; and
• documented patch management procedures.

The sections below document areas for improvement related to HMSA’s configuration management controls.

1. Application Level Patching

We conducted a vulnerability scan on 19 HMSA production servers and 2 databases using automated tools. We discovered several weaknesses related to missing or outdated critical patches on applications residing on production servers (e.g., IBM Tivoli Storage Manager, Microsoft Office, and Wireshark). HMSA has documented patch management procedures, and although it appears to adequately patch the servers’ operating systems, it does not prioritize application level patching. HMSA is currently in the process of developing and implementing an Application Patch Cycle process that will address patching for both in-house developed applications and third party vendor applications by October 31, 2012.

FISCAM states that “Software should be scanned and updated frequently to guard against known vulnerabilities.” NIST SP 800-53 states “The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously.”

Failure to promptly install patches increases the risk that vulnerabilities will not be remediated and sensitive information could be stolen.

Recommendation 4
We recommend HMSA develop and implement an Application Patch Cycle process.

HMSA Response:
“HMSA agrees with the recommendation. As of June 15, 2012, the Tivoli Storage Manager, Wireshark, and Microsoft Office servers identified in the finding have been either upgraded or removed. As of June 20, 2012, HMSA formalized and implemented its Windows Server Compliance and Remediation process that encompasses all Microsoft installed products. This process includes the application of all security related patches at both the operating system and application levels.”

OIG Reply:
The evidence provided by HMSA in response to the draft audit report indicates that the Plan has developed and implemented an application patch cycle process; no further action is required.

2. Unsupported System Software

HMSA is currently using system software (Windows 2000 and Microsoft IIS 5.0) that is no longer supported by its vendor. HMSA is in the process of decommissioning and retiring the servers that house the unsupported software.

FISCAM states that “All vendor supplied system software should be supported by the vendor.” Additionally, “Outdated versions of system software should be removed from the production environment to preclude their use.”

Failure to remove unsupported system software increases the risk of an attack that exploits the known vulnerabilities within the outdated versions of the software.

Recommendation 5
We recommend HMSA complete the decommissioning of servers that house outdated and unsupported system software.

HMSA Response:
“HMSA agrees with the recommendation. As of March 31, 2012, the Windows 2000 and Microsoft IIS 5.0 servers have been decommissioned or upgraded.”

OIG Reply:
The evidence provided by HMSA in response to the draft audit report indicates that the Plan has completed decommissioning of servers that house outdated and unsupported system software; no further action is required.

D. Contingency Planning

We reviewed the following elements of HMSA’s contingency planning program to determine whether controls were in place to prevent or minimize damage and interruptions to business operations when disastrous events occur:
• business continuity for several business units and data center operations;
• disaster recovery plan for the claims processing system;
• disaster recovery plan tests conducted in conjunction with the recovery site; and
• emergency response procedures and training.

We determined that the service continuity documentation contained the critical elements suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” HMSA has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources.

However, one area for improvement was noted during our review of HMSA’s data center. The generator supporting the main facility does not have the capacity to support the data center in the event of a power outage. HMSA is aware of this weakness and is currently working to address this by installing a larger generator that could support data center operations.

Recommendation 6
We recommend that HMSA install a power generator that can maintain data center operations in the event of power loss.

HMSA Response:
“HMSA agrees with the recommendation. On March 29, 2012, a formal contract to expand the capacity of HMSA’s existing generator and UPS was signed with IBM and funds were committed. Installation of the generator requires a zoning variance because changes to the square footage of the building slightly exceed Code (by 0.26%). The approved application is being submitted as evidence that the project is moving forward. A decision by the planning department is not expected for 90 - 120 days. Because structural changes are required to the building, this effort is expected to complete in the first quarter of calendar year 2013.”

OIG Reply:
As part of the audit resolution process, we recommend that HMSA continue to update OPM’s Healthcare and Insurance Office (HIO) on its progress in installing the new generator. HMSA should also provide HIO with evidence that the new generator can fully maintain data center operations in the event of a power loss.

E. Claims Adjudication

The following sections detail our review of the applications and business processes supporting claims adjudication at HMSA.

Application Configuration Management
We evaluated the policies and procedures governing software development and change control of HMSA’s claims processing applications.

HMSA has policies and procedures related to application configuration management. HMSA has adopted a System Development Life Cycle methodology that IT personnel follow during routine software modifications. We observed the following controls related to testing and approvals of software modifications:
• HMSA has adopted practices that allow modifications to be tracked throughout the change process;
• code, unit, system, and quality testing are all conducted in accordance with industry standards; and
• HMSA uses a separate business unit to move the code between development and production to ensure adequate segregation of duties.

Claims Processing System
We evaluated the input, processing, and output controls associated with HMSA’s claims adjudication systems. We determined that HMSA has implemented policies and procedures to help ensure that:
• claims scheduled for payment are actually paid;
• claims are monitored as they are processed through the systems with real-time tracking of the system’s performance; and
• paper claims that are received in the mail room are tracked to ensure timely processing (aging reports).

Enrollment
We evaluated HMSA’s procedures for managing its database of member enrollment data. For FEP members, enrollment is handled centrally by the BlueCross BlueShield Association Federal Employee Program Director’s Office (BCBSA), not by HMSA. For the FED87 plan, changes to member enrollment information are received via an encrypted electronic transmission. A report of enrollment changes is generated, and these updates are manually entered into the enrollment database. HMSA has an audit function for each step of the enrollment process that requires manual data manipulation.

We do not have any concerns regarding HMSA’s enrollment policies and procedures.

Debarment
HMSA has adequate procedures for updating its claim system with debarred provider information, and the Plan routinely audits its debarment database for accuracy.

HMSA downloads the OPM OIG debarment list every month and compares it to its provider maintenance file.
Any debarred providers that appear in HMSA\xe2\x80\x99s provider master database are\nflagged to prevent claims submitted by that provider from processing successfully during the\nclaims adjudication process.\n\nWe do not have any concerns regarding HMSA\xe2\x80\x99s debarment policies and procedures.\n\nSpecial Investigations and Fraud\nHMSA has a sufficient program in place to detect and review potentially fraudulent claims.\n\nWe did determine one area for improvement regarding the reporting of fraudulent cases. HMSA\ncurrently has a process in place to report these cases to the BCBSA on a quarterly and annual\nbasis. While we have no concerns regarding HMSA\xe2\x80\x99s communication with the BCBSA, HMSA\nis not currently reporting cases directly to the OPM OIG Office of Investigations in accordance\nwith OPM FEHBP Program Carrier Letter No. 2007-12. The Carrier Letter provides guidance\non reporting thresholds and timelines that all FEHBP carriers must follow.\n\nRecommendation 7\nWe recommend that HMSA review its policies and procedures regarding the reporting of\npotentially fraudulent cases to OPM OIG to ensure compliance with OPM Carrier Letter 2007-12\nand all subsequent Carrier Letters.\n\nHMSA Response:\n\xe2\x80\x9cHMSA agrees with the recommendation. On September 13, 2011, HMSA implemented\npolicies and procedures to ensure proper reporting of potentially fraudulent cases to OPM\nOIG and compliance with OPM Carrier Letter 2007-12 and all subsequent Carrier\nLetters. HMSA has submitted cases to OPM OIG that met the OPM Carrier Letter 2007-12\ncriteria.\xe2\x80\x9d\n\nOIG Reply:\nOur audit work indicated that the policies and procedures created on September 13, 2011 were\nnot adequately implemented as of March 20, 2012. 
Subsequent evidence provided by HMSA\nindicates that the procedures are now appropriately implemented and cases are reported to OPM\nOIG in a manner consistent with OPM Carrier Letter 2007-12; no further action is required.\n\nApplication Controls Testing\nWe conducted a test on HMSA\xe2\x80\x99s claims adjudication applications to validate the systems\xe2\x80\x99 claims\nprocessing controls. The exercise involved processing test claims designed with inherent flaws\nand evaluating the manner in which HMSA\xe2\x80\x99s systems adjudicated the claims.\n\n\n\n                                              11\n\x0cThe sections below document opportunities for improvement related to HMSA\xe2\x80\x99s claims\napplication controls.\n\n1. Overlapping Hospital Stays\n   The QNXT system paid duplicate room and board charges on test claims for a member with\n   two overlapping hospital stays.\n\n   The system does not have edits in place to prevent duplicate room and board (R&B) charges\n   for the same time period. We submitted claims for the same member for two instances of\n   R&B at the same facility on the same day. We also submitted claims for the same member\n   for R&B at different facilities on the same day. QNXT inappropriately processed and paid\n   the duplicate services for both sets of claims.\n\n   This system weakness increases the risk that hospitals are being paid for duplicate room and\n   board expenses.\n\n   At the conclusion of the fieldwork phase of our audit, HMSA provided evidence that pre-\n   payment reports are generated that identify possible duplicate inpatient claims billed for both\n   scenarios: overlapping stays at a single facility and different facilities. 
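As an added illustration (not HMSA's or QNXT's code, and not evidence reviewed in this audit), the following Python models the two scenarios the test claims exercised: room and board claims for the same member whose service dates overlap at the same facility, which a systematic duplicate edit denies outright, and at different facilities, which are held on a pre-payment report until an examiner validates a transfer or re-admission and are otherwise denied as duplicates. It generalizes the single-day test to multi-day date ranges. The claim records, field names, and the examiner_findings mapping standing in for the manual review outcome are constructed assumptions for the example.

```python
"""Pre-payment edit for duplicate inpatient room and board (R&B) charges.

Added example; not HMSA's QNXT code. Claim records, field names and the
examiner findings are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RBClaim:
    claim_id: str
    member_id: str
    facility_id: str
    from_date: date     # first day of room and board billed
    through_date: date  # last day of room and board billed (inclusive)


def days_overlap(a: RBClaim, b: RBClaim) -> bool:
    """True when at least one billed day is shared by both claims."""
    return a.from_date <= b.through_date and b.from_date <= a.through_date


def overlapping_stays(claims: List[RBClaim]) -> List[Tuple[str, str, str]]:
    """The pre-payment report: every pair of R&B claims for the same member
    whose service dates overlap, tagged with the scenario the audit tested."""
    report = []
    ordered = sorted(claims, key=lambda c: (c.member_id, c.from_date, c.claim_id))
    for a, b in combinations(ordered, 2):
        if a.member_id != b.member_id or not days_overlap(a, b):
            continue
        scenario = "same_facility" if a.facility_id == b.facility_id else "different_facility"
        report.append((a.claim_id, b.claim_id, scenario))
    return report


def adjudicate_room_and_board(
    claims: List[RBClaim],
    examiner_findings: Dict[str, bool],
) -> Dict[str, str]:
    """Disposition per claim id: 'pay', 'deny_duplicate' or 'pend_review'.

    examiner_findings (assumed interface) maps a claim id to True when the
    examiner validated a transfer or re-admission to a second facility, False
    when that could not be validated; an absent entry means the review is open.
    """
    dispositions: Dict[str, str] = {}
    accepted: Dict[str, List[RBClaim]] = {}  # member_id -> claims already cleared to pay
    for claim in sorted(claims, key=lambda c: (c.from_date, c.claim_id)):
        prior = accepted.setdefault(claim.member_id, [])
        conflicts = [p for p in prior if days_overlap(claim, p)]
        if not conflicts:
            dispositions[claim.claim_id] = "pay"
            prior.append(claim)
        elif any(p.facility_id == claim.facility_id for p in conflicts):
            # Same facility, same days: systematic duplicate edit, no examiner needed.
            dispositions[claim.claim_id] = "deny_duplicate"
        elif claim.claim_id not in examiner_findings:
            # Different facility: held on the pre-payment report until reviewed.
            dispositions[claim.claim_id] = "pend_review"
        elif examiner_findings[claim.claim_id]:
            # Transfer or re-admission validated: allowed to pay.
            dispositions[claim.claim_id] = "pay"
            prior.append(claim)
        else:
            # Examiner could not validate a transfer: denied as a duplicate.
            dispositions[claim.claim_id] = "deny_duplicate"
    return dispositions


# Constructed sample claims (not audit data).
SAMPLE_CLAIMS = [
    RBClaim("C1", "M1", "HOSP-A", date(2012, 3, 1), date(2012, 3, 4)),
    RBClaim("C2", "M1", "HOSP-A", date(2012, 3, 2), date(2012, 3, 3)),   # same facility
    RBClaim("C3", "M1", "HOSP-B", date(2012, 3, 3), date(2012, 3, 6)),   # validated transfer
    RBClaim("C4", "M2", "HOSP-A", date(2012, 3, 1), date(2012, 3, 2)),
    RBClaim("C5", "M2", "HOSP-C", date(2012, 3, 2), date(2012, 3, 5)),   # transfer not validated
    RBClaim("C6", "M3", "HOSP-A", date(2012, 3, 10), date(2012, 3, 12)),
    RBClaim("C7", "M3", "HOSP-B", date(2012, 3, 12), date(2012, 3, 14)), # review still open
]
SAMPLE_FINDINGS = {"C3": True, "C5": False}

if __name__ == "__main__":
    for row in overlapping_stays(SAMPLE_CLAIMS):
        print("report:", row)
    for cid, outcome in adjudicate_room_and_board(SAMPLE_CLAIMS, SAMPLE_FINDINGS).items():
        print(cid, outcome)
```

The check is keyed on member and billed days rather than on claim identifiers, so a second claim for the same stay is caught even when a facility resubmits it under a new claim number; a practitioner testing this control should submit the overlapping claim under a different claim id, as the audit did, not merely resend the same one.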
The implementation of pre-payment reports is an acceptable compensating control, but we were unable to test its effectiveness due to the timing in which this information was provided to us.

Recommendation 8
We recommend that HMSA provide evidence that it is appropriately utilizing pre-payment reports related to overlapping hospital stays over a six month time period.

HMSA Response:
“HMSA agrees with the recommendation. HMSA applies systematic duplicate editing to overlapping hospital stays billed by the same provider or facility. To supplement the systematic editing, a prepayment report was created to identify overlapping hospital stays billed by different facilities.

The process includes a review of the prepayment report to ensure that claims with overlapping service dates are not duplicate claims. If the claim contains overlapping service dates, the examiner will determine whether a transfer or re-admission to a second facility occurred and once validated, will allow the claim to pay. If the examiner is unable to validate that a transfer or re-admission to a second facility occurred, the claim will be denied as a duplicate claim.

The remediation was implemented on February 27, 2012 and OPM has received and acknowledged receipt of the evidence showing implementation of the review. OPM’s request for further documentation spanning the 6 month period February 27, 2012 to August 27, 2012 is not possible due to the OPM imposed deadline for our response of June 30, 2012. As such, HMSA will be submitting the prepayment reports from date of implementation through June 22, 2012.”

customary settings such as the ambulatory surgical center, inpatient & outpatient hospital, emergency room and military treatment facilities. Below is a description of the two programs:

a) Place of Treatment Program (POTP)
This program requires certain medical services identified in the POTP be performed in a physician’s office or outpatient setting. If a more acute setting is required, the physician must request precertification prior to rendering services. The lack of precertification will result in the claim being routed for review by HMSA’s in-house medical consultants for determination or returned to the physician with a request for additional information.
The following attachment is being provided in relation to this response: . . .

b) Place of Service (POS) Claims Editing
HMSA currently uses a vendor package called iCES KnowledgeBase by OPTUM to systematically apply place of service editing on a procedure code level. This vendor package is interfaced with our claims adjudication system, QNXT. The iCES KnowledgeBase edits approximately 86% of CPT and HCPCS procedure codes identified through Medicare Local Coverage Determinations (LCD), Medical National Coverage Determinations (NCD), provider specialty societies and code descriptors.”

OIG Reply:
We continue to recommend that HMSA conduct a thorough review of place of service codes and update the system to ensure claims are processed appropriately. As HMSA stated in its reply to the recommendation, the iCES vendor package only edits 86% of CPT and HCPCS procedure codes. We subjectively submitted two claims with invalid place of service codes without reviewing any iCES edit documentation. Both of these claims processed without encountering any edits. We are therefore not confident that the current vendor packages can adequately detect place of service inconsistencies.

Recommendation 10
We recommend that HMSA ensure the appropriate system modifications are made to prevent medically inconsistent claims from processing. Furthermore, we request that HMSA provide evidence that it is appropriately utilizing these post-payment reports related to invalid place of service over a six month time period.

HMSA Response:
“HMSA partially agrees with the recommendation.

1) HMSA disagrees with the recommendation to implement additional system modifications due to the robustness of HMSA’s existing programs and system edits outlined above in our response to Recommendation 9. We believe that the combination of the POTP program, the POS edits and the review of prepayment and post payment reports provides adequate coverage to mitigate the risk of overpayment for services being performed at possible inappropriate service locations. Please refer to the response provided in Recommendation 9.

2) HMSA agrees with the request to provide OPM with additional evidence of prepayment and post-payment reports related to Recommendation 9. The remediation was implemented on February 27, 2012 and OPM has received and acknowledged receipt of the evidence showing implementation of the review. OPM’s request for further documentation spanning the 6 month period February 27, 2012 to August 27, 2012 is not possible due to the OPM imposed deadline for our response of June 30, 2012. As such, HMSA will be submitting samples of the prepayment and post-payment reports from date of implementation through June 22, 2012.”

OIG Reply:
We have reviewed the provided evidence and agree that pre-payment and post-payment reports have been implemented to detect gender inconsistencies, diagnosis to procedure inconsistencies, and provider to procedure inconsistencies. However, as stated in our reply to recommendation 9, we have not received adequate evidence that the claims adjudication system can adequately detect place of service inconsistencies. Therefore, we continue to recommend that HMSA conduct a full review of place of service codes.

3. Prior Authorization
The QNXT system paid a professional claim for                          without receiving the appropriate prior authorization required by the benefit brochure.

HMSA informed us that they do not require all providers to obtain prior authorization for services. HMSA has a tiered variable intensity precertification review system for their providers and each tier represents a different requirement level for prior authorization.

This system structure increases the risk that benefits are not being paid in accordance with the benefit brochure for procedures requiring prior authorization.

Recommendation 11
We recommend that HMSA make the appropriate system modifications to ensure that claims without the appropriate prior authorizations are suspended and flagged for review.

HMSA Response:
“HMSA disagrees with the recommendation. . . .

HMSA disagrees with the recommendation to make further system modifications to the claims adjudication system since HMSA currently has two approaches to adequately administer the prior authorization (precertification) program as follows:

1) Most services are handled traditionally, where a claim will be denied without prior authorization. In these cases, the claim will stop processing and pend if an authorization is not present and an adjudicator will validate whether or not a review has been completed. If it has, and authorization was denied, the claim will be denied. If no review was requested, a post-service review will be undertaken and the claim processed or denied based on the outcome of the medical necessity review.

2) Other services are eligible for our variable intensity precertification review program (VIR). For eligible categories of services requiring precertification, the VIR program allows us to pre-certify services efficiently and encourages provider self-monitoring, incenting better quality. Following an intensive data review of a provider’s practice by our medical physicians and consultants, HMSA makes a determination whether the provider qualifies for an annual waiver for a particular service. If they qualify, our claims system allows the claim for the approved service to proceed to payment. Waivers are reviewed at least annually and may be rescinded.

Specific to claims related to                                        services, HMSA operates a VIR program that has three tiers. Analysis of the number of visits for conditions treated and the intensity of services furnished within each visit are used to stratify the providers into one of three tiers based on their efficiency of utilization and understanding of the member’s benefits. Authorization points vary depending on the tier to which the              is assigned. For the claim that was noted as an exception during this audit, the                        provider was categorized into an approved tier which allowed automatic precertification of 8 visits per benefit period. Due to the precertification provided by the VIR process, the claim was paid correctly. Thus, we believe no further modification is necessary to our claims adjudication system.

To provide further clarity within the benefit brochure, HMSA received instructions from the OPM contract office to modify the 2013 benefit brochure to explicitly state that prior authorization is required but is subject to HMSA’s criteria. As of the date of this response, HMSA has acknowledged their instructions and has submitted the modifications to the OPM contract office and is awaiting confirmation.”

OIG Reply:
As part of the audit resolution process, we recommend that HMSA continue to work with OPM’s Contract Office to ensure that the language in the 2013 benefit brochure appropriately describes prior authorizations related to the VIR program.

F. Health Insurance Portability and Accountability Act
We reviewed HMSA’s efforts to maintain compliance with the security and privacy standards of HIPAA.

HMSA has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. HMSA has also developed a series of privacy policies and procedures that address all requirements of the HIPAA privacy rule. HMSA uses HIPAA regulations as the baseline for the creation of its policies. The plan has a designated Privacy Official who is responsible for ensuring HMSA’s compliance with HIPAA Privacy and Security regulations. HMSA employees receive annual compliance training that encompasses HIPAA regulations.

We do not have any concerns regarding HMSA’s compliance with the various requirements of HIPAA regulations.

III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:
•                  , Group Chief
•                      , Senior Team Leader
•                         , Auditor-In-Charge
•               , IT Auditor
•                    , IT Auditor